The Kimwolf botnet has infected an estimated 2 million Android devices. Security experts warn that the malicious network spreads via residential proxies and abuses devices for DDoS attacks. Cloudflare recorded peaks of up to 29.7 Tbps.
The Kimwolf botnet has been very active since early August 2025. Security company Synthient estimates that the number of infected devices has now exceeded 2 million. The network primarily targets Android devices with an unsecured Android Debug Bridge (ADB) connection. It is noteworthy that the infections occur via residential proxies.
Proxy providers are advised to block high-risk ports and restrict access to the local network. Users can check whether they have been affected at synthient.com/check. Infected TV boxes must be wiped or destroyed. Organizations must block connections to the aforementioned C2 servers and domains.
Novel exploitation of proxy networks
Kimwolf is the Android variant of the Aisuru DDoS botnet. The network grew to at least 2 million compromised devices in just a few months. The rapid growth is due to a new way it exploits residential proxy networks.
Cloudflare reported that Kimwolf carried out DDoS attacks with peak rates of up to 29.7 Tbps or 14.1 Bpps. The actors behind the botnet earn money from app installations, the sale of residential proxy bandwidth, and DDoS functionality. Synthient’s honeypot network recorded an increase in targeting of the domain xd[.]resi[.]to from the IPIDEA proxy network on November 12. This domain points to 0[.]0[.]0[.]0, which refers to the device running the proxy SDK.
Synthient expects more threat actors to become interested in unrestricted access to proxy networks. The goal is to infect devices, gain network access, or access sensitive information.
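The advice to proxy providers above, sketched as an added example (not code from Synthient or any proxy vendor): a check on the addresses a requested hostname resolved to, so that a name pointing at 0.0.0.0 or a local-network address is refused before the proxy connects. The function name and sample values are constructed for illustration, and port 5555 (the default ADB-over-TCP port) is an assumed stand-in for the high-risk ports the article does not list.

```python
import ipaddress

# Assumption: the article names no specific "high-risk ports"; 5555, the
# default ADB-over-TCP port, is used here as the illustrative entry.
HIGH_RISK_PORTS = {5555}


def rejection_reason(resolved_addrs, port):
    """Return None if a proxied connection may proceed, else the reason to refuse.

    resolved_addrs: the IP strings the requested hostname resolved to, checked
    at connect time so a public-looking name cannot smuggle in a local target.
    """
    if port in HIGH_RISK_PORTS:
        return f"port {port} is on the high-risk list"
    if not resolved_addrs:
        return "hostname did not resolve"
    for addr in resolved_addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return f"unparseable address {addr!r}"
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot dodge IPv4 checks.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.is_unspecified:
            return f"{ip} is the unspecified address (the proxy device itself)"
        if ip.is_loopback:
            return f"{ip} is loopback"
        if ip.is_link_local:
            return f"{ip} is link-local"
        if ip.is_multicast:
            return f"{ip} is multicast"
        if not ip.is_global:
            return f"{ip} is not globally routable (private, shared or reserved)"
    return None


if __name__ == "__main__":
    # Constructed sample requests: (resolved addresses, destination port).
    samples = [(["0.0.0.0"], 80), (["192.168.1.10"], 8080),
               (["1.1.1.1", "127.0.0.1"], 443), (["1.1.1.1"], 5555),
               (["1.1.1.1"], 443)]
    for addrs, port in samples:
        print(addrs, port, "->", rejection_reason(addrs, port) or "allowed")
```

The check has to run on the address the proxy actually connects to; validating the hostname alone would let a name like the one observed by Synthient through.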